No clue what the problem is [RESOLVED]

#46 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\Documents and Settings\home\Application Data\Sskknwrd.dll
C:\Documents and Settings\home\Application Data\Sskuknwrd.dll
C:\WINNT\alchem.ini
C:\WINNT\artmmp.ini
C:\WINNT\Downloaded Program Files\CONFLICT.4\HDPlugin1019.inf
C:\WINNT\Downloaded Program Files\WUInst.inf
C:\WINNT\system32\rockhard.exe
C:\WINNT\system32\hallo.exe
C:\WINNT\system32\sleepx.exe
C:\WINNT\system32\ludal.exe
C:\WINNT\ludal.exe
C:\WINNT\system32\sleepx.exe[ciaral.exe]
C:\WINNT\system32\sleepx.exe[ludal.exe]
C:\WINNT\system32\hallo.exe[rockhard.exe]
C:\WINNT\system32\hallo.exe[hardrock.exe]
C:\WINNT\SYSTEM32\somepn.exe
C:\WINNT\system32\spoolvvv.exe
C:\WINNT\spoolvvv.exe
C:\WINNT\system32\InetDriver.exe
C:\WINNT\fxsvc.exe
C:\WINNT\system32\scardsvr32.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, run ActiveScan again and post the log. I know, but it needs to be done again to make sure all those worms are gone because we need to make absolutely sure none are left behind! These worms are nasty and they will just cause severe problems if we miss any of them. Hopefully they will be gone after this last round!

Edited by bananafanafo, 22 June 2005 - 09:14 PM.

#47 princessss (Member, Topic Starter, 95 posts)

Incident Status Location

Virus:Trj/Ranky.GQ Disinfected Operating system
Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\cache32_rtneg?
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\home\Favorites\Fun & Games
Adware:Adware/FunWeb No disinfected Windows Registry
Adware:Adware/PopCapLoader No disinfected C:\Documents and Settings\home\Desktop\the fix\backups\backup-20050622-080508-496.inf
Virus:Worm Generic.GA Disinfected C:\Documents and Settings\home\msconfisio.dat
Possible Virus. No disinfected C:\WINNT\system32\achance.exe
Possible Virus. No disinfected C:\WINNT\system32\anotherone.exe
Possible Virus. No disinfected C:\WINNT\system32\belongt.exe[comeback.exe]
Possible Virus. No disinfected C:\WINNT\system32\belongt.exe[achance.exe]
Possible Virus. No disinfected C:\WINNT\system32\comeback.exe
Virus:Worm Generic.GA Disinfected C:\WINNT\system32\msconfisio.dat
Virus:Trj/Multidropper.AMQ Disinfected C:\WINNT\system32\noidea.exe
Possible Virus. No disinfected C:\WINNT\system32\slvhosts.exe
Possible Virus. No disinfected C:\WINNT\system32\surviv.exe[yetanother.exe]
Possible Virus. No disinfected C:\WINNT\system32\surviv.exe[anotherone.exe]
Possible Virus. No disinfected C:\WINNT\system32\winxpsock.exe
Possible Virus. No disinfected C:\WINNT\system32\yetanother.exe

#48 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Try to avoid surfing the Internet as much as possible, because you have indeed picked up new worms :tazz:

#49 princessss (Member, Topic Starter, 95 posts)

OK, I'm gonna go close down some ports... brb

#50 princessss (Member, Topic Starter, 95 posts)

I've closed off DMZ; it was enabled.

Doing a port scan.

DMZ is probably how everything was getting in.

Wish I knew more about viruses, but I have also closed out web search in regedit by adding a block.

#51 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINNT\system32\achance.exe
C:\WINNT\system32\anotherone.exe
C:\WINNT\system32\belongt.exe
C:\WINNT\system32\belongt.exe[comeback.exe]
C:\WINNT\system32\belongt.exe[achance.exe]
C:\WINNT\system32\comeback.exe
C:\WINNT\system32\slvhosts.exe
C:\WINNT\system32\surviv.exe
C:\WINNT\system32\cache32_rtneg?
C:\WINNT\system32\surviv.exe[yetanother.exe]
C:\WINNT\system32\surviv.exe[anotherone.exe]
C:\WINNT\system32\winxpsock.exe
C:\WINNT\system32\yetanother.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, run ActiveScan again and post the log along with a new HiJackThis log.
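Between posts #47 and #51 the helper turns the ActiveScan output into a Killbox list by hand: she keeps only the entries the scanner reports as "No disinfected", treats the host.exe[inner.exe] notation as pointing at the host file, and sets aside anything whose name contains a "?" because the on-disk name may differ. The script below is an added Python example that automates that triage; it is not part of this thread, of ActiveScan or of Killbox. The log text it parses is constructed here in the same "Incident Status Location" layout the thread's logs use, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the layout ActiveScan used in the thread. The entries mirror
# the page's logs but this text is assembled for the example, not pasted from a scan.
SAMPLE_LOG = r"""Incident Status Location

Virus:Trj/Ranky.GQ Disinfected Operating system
Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\cache32_rtneg?
Possible Virus. No disinfected C:\WINNT\system32\belongt.exe[comeback.exe]
Possible Virus. No disinfected C:\WINNT\system32\belongt.exe[achance.exe]
Virus:Worm Generic.GA Disinfected C:\WINNT\system32\msconfisio.dat
Possible Virus. No disinfected C:\WINNT\system32\comeback.exe
"""

# One result line. The incident name may itself contain spaces ("Possible Virus.",
# "Virus:Worm Generic.GA"), so the status keyword is used as the column separator;
# "No disinfected" is tried before "Disinfected" so the negative form wins.
LINE_RE = re.compile(
    r"^(?P<incident>.+?)\s+(?P<status>No disinfected|Disinfected)\s+(?P<location>.+?)\s*$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")
CONTAINER_RE = re.compile(r"^(?P<container>.+?)\[(?P<inner>[^\]]+)\]$")


@dataclass(frozen=True)
class Finding:
    incident: str
    disinfected: bool
    location: str

    @property
    def is_file(self) -> bool:
        return bool(PATH_RE.match(self.location))

    @property
    def container_path(self) -> str:
        """Path a file-deletion tool can act on: 'host.exe[inner.exe]' names a file
        stored inside host.exe, so the deletable object is host.exe itself."""
        m = CONTAINER_RE.match(self.location)
        return m.group("container") if m else self.location

    @property
    def needs_manual_check(self) -> bool:
        # A '?' in the reported location means the scanner did not print the exact
        # name, so the entry has to be confirmed on disk before anything is deleted.
        return "?" in self.location


def parse_activescan(text: str) -> List[Finding]:
    """Parse ActiveScan result lines; raises on a line that does not fit the layout."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident Status Location"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ActiveScan line: {line!r}")
        findings.append(Finding(m["incident"], m["status"] == "Disinfected", m["location"]))
    return findings


def leftover_files(findings: List[Finding]) -> List[str]:
    """Unique on-disk paths the scanner could not clean, in log order, with the
    container notation collapsed so each host file is listed once."""
    seen, out = set(), []
    for f in findings:
        if f.disinfected or not f.is_file:
            continue
        path = f.container_path
        if path not in seen:
            seen.add(path)
            out.append(path)
    return out


def leftover_registry(findings: List[Finding]) -> List[str]:
    """Incidents still present in the registry; these need a separate cleanup step."""
    return [f.incident for f in findings if not f.disinfected and f.location == "Windows Registry"]


def uncertain_paths(findings: List[Finding]) -> List[str]:
    """Unclean file entries whose reported name is not exact."""
    return [f.location for f in findings if not f.disinfected and f.is_file and f.needs_manual_check]


if __name__ == "__main__":
    fs = parse_activescan(SAMPLE_LOG)
    print("Paths to delete on reboot:")
    for p in leftover_files(fs):
        print("  " + p)
    print("Registry items still present:", leftover_registry(fs))
    print("Confirm by hand before deleting:", uncertain_paths(fs))
```

The script only produces the list; registry entries, folders and the "?" entries still have to be looked at by hand, which is exactly the distinction Michelle draws in post #53 when she calls out cache32_rtneg? and the Favorites folder separately.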

#52 princessss (Member, Topic Starter, 95 posts)

Incident Status Location

Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\system32\cache32_rtneg?
Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\home\Favorites\Fun & Games
Adware:Adware/FunWeb No disinfected Windows Registry
Adware:Adware/PopCapLoader No disinfected C:\Documents and Settings\home\Desktop\the fix\backups\backup-20050622-080508-496.inf

#53 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Well, whatever you did earlier seems to have worked! :tazz:

C:\WINNT\system32\cache32_rtneg? <-may be a folder or file, not sure!
C:\Documents and Settings\home\Favorites\Fun & Games <-Folder

After deleting these, post a new HiJackThis log for one last check, then let me know how it's running!!

#54 princessss (Member, Topic Starter, 95 posts)

Logfile of HijackThis v1.99.1
Scan saved at 6:12:00 PM, on 6/23/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\home\Desktop\the fix\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://webc<BLOCKED>search.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca.../addons/search/
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 6\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Pool 2 -
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe

#55 princessss (Member, Topic Starter, 95 posts)

I have everything I can cross crossed.
#56 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

And how is it running now?

#57 princessss (Member, Topic Starter, 95 posts)

It runs wonderfully, thank you ;) :tazz: ;)

#58 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Excellent! You're very welcome! ;)

Congratulations, your log is clean! Great job on the clean up :tazz:

Here are some tips to reduce the potential for spyware infection in the future. I strongly recommend installing the following applications:

Ewido Security Suite <= Protection against Trojans, Worms, Dialers, Hijackers, Spyware, and Keyloggers.

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Three good free versions are Sygate, Kerio, and ZoneAlarm.


#59 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.